CVE-2021-22773 : Security Advisory and Response
Discover the details of CVE-2021-22773, a CWE-620 vulnerability in Schneider Electric EVlink products allowing unauthorized password changes. Learn about impacts, affected systems, prevention, and mitigation strategies.
A CWE-620 vulnerability has been identified in EVlink City, EVlink Parking, and EVlink Smart Wallbox devices that allows an attacker to modify a user's password through the charging station's web server.
Understanding CVE-2021-22773
This CVE involves an unverified password change vulnerability in Schneider Electric's EVlink products.
What is CVE-2021-22773?
The CVE-2021-22773, also known as a CWE-620 vulnerability, enables a malicious actor connected to the charging station web server to alter a user's password.
The Impact of CVE-2021-22773
The impact of this vulnerability is significant as it allows unauthorized password changes, posing a serious security risk to users of the affected Schneider Electric EVlink devices.
Technical Details of CVE-2021-22773
This section delves into the specifics of the vulnerability affecting EVlink City, EVlink Parking, and EVlink Smart Wallbox devices.
Vulnerability Description
The vulnerability allows an attacker to change a user's password by exploiting the unverified password change mechanism in the affected Schneider Electric products.
Affected Systems and Versions
EVlink City (EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1), EVlink Parking (EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1), and EVlink Smart Wallbox (EVB1A all versions prior to R8 V3.4.0.1) are all impacted.
Exploitation Mechanism
The vulnerability can be exploited by an attacker connected to the charging station web server, enabling them to change a user's password without verification.
Mitigation and Prevention
To mitigate the risks associated with CVE-2021-22773, immediate action and long-term security practices are essential.
Immediate Steps to Take
Users should update their Schneider Electric EVlink devices to the latest version (R8 V3.4.0.1) to patch the vulnerability and prevent unauthorized password changes.
Long-Term Security Practices
Implementing strong password policies, regularly updating firmware, and monitoring for any unauthorized access attempts are recommended security practices for safeguarding EVlink devices.
Patching and Updates
Regularly checking for and applying firmware updates released by Schneider Electric is crucial for ensuring the security of EVlink City, EVlink Parking, and EVlink Smart Wallbox devices.